Use SSL for everything.

Amber Yust
Published in Web App Security
Dec 8, 2013

Here’s a simple question: does your website involve user data?

If the answer is “yes” then you should probably be using SSL. For those not familiar with it, SSL (today its successor, TLS) is the encrypted channel underneath HTTPS traffic, among other things. It prevents third parties, say the person at the next table over in the coffee shop, from trivially eavesdropping on the contents of requests that happen to cross public networks on their way to their destination.

Hearing SSL described that way, you might think it only needs to be used for pages which involve private data. In that case, here’s another question: does your website involve user logins?

If the answer is “yes” then you should probably be using SSL for every page that is served to a logged-in user. Why? Because in order to recognize a logged-in user, you’re almost certainly using cookies, and cookies can be eavesdropped as well. Once someone has the session cookie, they can simply present it themselves and request the private data as that user; no password is needed. Marking the session cookie Secure, so the browser never sends it over plain HTTP, is a necessary defense, but it also means every page a logged-in user visits has to be served over HTTPS, or the user will appear logged out there.

Okay, so you need to use SSL for logged-in users, but it’s fine to not use it for anonymous users, right? Third question: are there any pages that both anonymous and logged-in users use?

If so, you should always use SSL for those pages as well. After all, you can’t tell whether a user is anonymous until you’ve checked for a login cookie, and by then the cookie has already been transmitted over whatever channel the request came in on.

Of course, there’s a simpler option: just use SSL for everything. In practice that means serving every page over HTTPS, redirecting any plain-HTTP request to its HTTPS equivalent, and sending a Strict-Transport-Security header so browsers stop making plain-HTTP requests to you at all.

Nowadays, most web applications aren’t CPU bound; they spend the majority of their time waiting for database results or similar. The expensive part of SSL is the handshake, and with keep-alive connections and session resumption that cost is paid once per connection rather than once per request, so the added CPU overhead is small. It’s also the safest option.
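What “SSL for everything” looks like in code, as an added example that is not part of the original post: a small WSGI middleware that redirects plain-HTTP requests to HTTPS, adds a Strict-Transport-Security header, and rewrites the application’s Set-Cookie headers so the session cookie from the cookie-eavesdropping argument above always carries the Secure (and HttpOnly) flags. The names ForceHTTPS, demo_app, call and make_environ, and the sample requests against example.com, are this example’s own assumptions, not anything from the post.

```python
"""Added example (not from the original post): enforce HTTPS for every
request in a WSGI application and never let a session cookie travel in
the clear. ForceHTTPS, demo_app, call and make_environ are hypothetical
names chosen for this example."""
from urllib.parse import quote

# One year, and cover subdomains so no http://www. variant is left open.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def secure_cookie(header_value):
    """Append Secure and HttpOnly to a Set-Cookie value if they are missing.

    Attribute names are matched case-insensitively; the cookie's own
    name=value pair (the first segment) is left untouched."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        parts.append("Secure")
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    return "; ".join(parts)


class ForceHTTPS:
    """WSGI middleware: redirect http:// to https://, add HSTS, harden cookies.

    Caveat: behind a TLS-terminating proxy, wsgi.url_scheme may read 'http'
    for requests that were HTTPS at the edge. Fix that in the server or
    trust X-Forwarded-Proto only from the proxy's address; never trust it
    blindly, or any client could claim to be on HTTPS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Keep host, path and query; change only the scheme.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = secure_cookie(value)
                out.append((name, value))
            out.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, out, exc_info)

        return self.app(environ, hardened_start_response)


def demo_app(environ, start_response):
    """Stand-in application: logs the user in by setting a session cookie
    with no flags at all, the unsafe default the middleware must fix."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]


def make_environ(scheme, host, path, query=""):
    """Constructed WSGI environ for a GET request (test input, not real traffic)."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


def call(app, environ):
    """Drive a WSGI app once and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = ForceHTTPS(demo_app)

if __name__ == "__main__":
    for env in (make_environ("http", "example.com", "/account", "tab=1"),
                make_environ("https", "example.com", "/account")):
        status, headers, body = call(app, env)
        print(env["wsgi.url_scheme"], status, dict(headers))
```

The plain-HTTP request never reaches demo_app at all; it gets a 301 to the same URL over https. The HTTPS request reaches it, and the cookie it set without flags comes back out as `session=abc123; Path=/; Secure; HttpOnly` alongside the HSTS header, so a browser that has seen one HTTPS response will not send that cookie, or any later request, in the clear.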

Amber Yust

Privacy Engineering & Manager @Google. EVELink maintainer, Guild Wars NPC, etc. My opinions and comments do not necessarily reflect those of my employer.